[rpms/tailscale] f44: update to 1.98.4

[rpms/tailscale] f44: update to 1.98.4

[Jonathan Wright]

            A new commit has been pushed.

            Repo   : rpms/tailscale
            Branch : f44
            Commit : b520b3c5abf0b95976c87fcd8047e500afce3205
            Author : Jonathan Wright <jonathan@almalinux.org>
            Date   : 2026-05-31T08:03:48-05:00
            Stats  : +20/-3 in 4 file(s)
            URL    : https://src.fedoraproject.org/rpms/tailscale/c/b520b3c5abf0b95976c87fcd8047e500afce3205?branch=f44

            Log:
            update to 1.98.4
- Allow nftables to satisfy firewall dependency in lieu of iptables rhbz#2453924
- Fix 45s timeout on shutdowns in certain cases rhbz#2440864
- Fixes CVE-2026-34165 rhbz#2454571
- Fixes CVE-2026-33762 rhbz#2454572

---
diff --git a/.gitignore b/.gitignore
index 81afbc5..6a9d086 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@
 /tailscale-1.92.5-vendored.tar.xz
 /tailscale-1.94.2-vendored.tar.xz
 /tailscale-1.98.3-vendored.tar.xz
+/tailscale-1.98.4-vendored.tar.xz

diff --git a/sources b/sources
index 7cf991e..e8e59c7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tailscale-1.98.3-vendored.tar.xz) = d7baaac3529bdb9b0b039a3565a656bb474eb699b0f4660705a9fa7d7dcddc378ffcc16b612088f9e6d5152cea2dad34c362f45685f08ae2a22bb39a4509315d
+SHA512 (tailscale-1.98.4-vendored.tar.xz) = 33a5084ba5ab5e8bb6600fe19a960f8d552d5202b2b20eeb2b7430cc69dfe40ac7d21f2f8715e9e69318213a23c59645b37b6e2b04f891dd01a5d76dc70e0042

diff --git a/tailscale.spec b/tailscale.spec
index 1c6e218..db2d288 100644
--- a/tailscale.spec
+++ b/tailscale.spec
@@ -9,7 +9,7 @@
 
 # https://github.com/tailscale/tailscale
 %global goipath         github.com/tailscale/tailscale
-Version:                1.98.3
+Version:                1.98.4
 
 %if 0%{?rhel}
 %gometa
@@ -38,7 +38,8 @@ Patch:          tailscale-1.92.5-systray-unit.patch
 
 BuildRequires:     systemd-rpm-macros
 Requires:          iproute
-Requires:          iptables
+Requires:          (iptables or nftables)
+Recommends:        nftables
 
 # BSD-3-Clause
 Provides:       bundled(golang(filippo.io/mkcert)) = v1.4.4
@@ -1108,6 +1109,13 @@ install -dpm 600 %{buildroot}%{_localstatedir}/cache/tailscale
 
 
 %changelog
+* Sun May 31 2026 Jonathan Wright <jonathan@almalinux.org> - 1.98.4-1
+- update to 1.98.4
+- Allow nftables to satisfy firewall dependency in lieu of iptables rhbz#2453924
+- Fix 45s timeout on shutdowns in certain cases rhbz#2440864
+- Fixes CVE-2026-34165 rhbz#2454571
+- Fixes CVE-2026-33762 rhbz#2454572
+
 * Sun May 31 2026 Jonathan Wright <jonathan@almalinux.org> - 1.98.3-1
 - update to 1.98.3 rhbz#2448765
 

diff --git a/tailscaled.service b/tailscaled.service
index e37f87c..76a55c7 100644
--- a/tailscaled.service
+++ b/tailscaled.service
@@ -2,7 +2,12 @@
 Description=Tailscale node agent
 Documentation=https://tailscale.com/kb/
 Wants=network-pre.target
+# upstream
 After=network-pre.target NetworkManager.service systemd-resolved.service
+# fedora
+# https://bugzilla.redhat.com/show_bug.cgi?id=2440864
+# https://github.com/tailscale/tailscale/issues/3932#issuecomment-3924041096
+After=wpa_supplicant.service iwd.service
 
 [Service]
 # Set the port to listen on for incoming VPN packets.
@@ -10,6 +15,9 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 # but you might want to configure this in order to set external firewall
 # settings.
 Environment="PORT=41641"
+# Prefer nftables over iptables with automatic detection and fallback to iptables
+# https://tailscale.com/docs/features/firewall-mode#heuristic
+Environment="TS_DEBUG_FIREWALL_MODE=auto"
 ExecStart=/usr/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT}
 ExecStopPost=/usr/bin/tailscaled --cleanup